February 19, 2013

High-Tech Hackers Linked To Chinese Military, Beijing Denies Claims

Last month, the New York Times reported that it had been the target of a string of cyber attacks spanning nearly 3 months. The Times hired Alexandria-based Mandiant to investigate. Mandiant's security experts tracked the attacks back to China and observed that the hacking techniques used resembled those often employed by China's military.

Now, Mandiant has released another report, which claims that a secret arm of China's military has launched more than 100 attacks on US organizations since 2006. According to this new report, all of these attacks were carried out by a group of English-speaking hackers working from one building in China's Pudong district. China has denied these claims, calling the accusations “unprofessional.”

Mandiant points to a single, secretive military group within the second bureau of China's People's Liberation Army General Staff Department's 3rd Department as responsible for these attacks. This group is also known as Unit 61398.

“The nature of 'Unit 61398's' work is considered by China to be a state secret; however, we believe it engages in harmful 'Computer Network Operations',” reads the Mandiant report. “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”

China's Defense Ministry has already spoken out against Mandiant's report, while admitting that cyber attacks are a growing threat in the world. “The Chinese army has never supported any hacking activity,” claimed China's Defense Ministry in a statement to Reuters. “Statements about the Chinese army engaging in cyber attacks are unprofessional and not in line with facts.”

China's Ministry of Foreign Affairs spokesperson Hong Lei also spoke out against this report, saying, “Hacking attacks are transnational and anonymous,” and claiming Chinese officials “don't know how the evidence in this so-called report can be tenable.”

During its research, Mandiant found that an overwhelming number of attacks originated with the APT1 group and traced back to servers in a 12-story building where Unit 61398 is believed to be located. Upon the report's release, BBC reporter John Sudworth and a film crew visited this building but were detained by Chinese soldiers and held until they agreed to hand over their footage.

“We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” claims Mandiant in its report. Mandiant also uncovered evidence suggesting that China Telecom has provided high-speed fiber-optic cable to this building for reasons of “national defense.”

Mandiant believes APT1 is responsible for hacking into 141 computers across 20 countries, including Canada, the UK and the US. These hackers are believed to be able to steal from dozens of networks simultaneously. So far, Mandiant says, they have stolen hundreds of terabytes of data, including business plans, contact lists, emails and user credentials. On average, these hackers monitor a network for about 356 days, though they remained inside one network for 1,764 days in a row. Mandiant's report also outlines, in detail, the methods used to track these attacks and offers suggestions for protecting networks from these hackers.